]> andersk Git - openssh.git/blame - servconf.c
andersk / openssh.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
- djm@cvs.openbsd.org 2004/04/27 09:46:37
[openssh.git] / servconf.c
CommitLineData
8efc0c15 1/*
5260325f 2 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
3 * All rights reserved
6ae2364d 4 *
bcbf86ec 5 * As far as I am concerned, the code I have written for this software
6 * can be used freely for any purpose. Any derived versions of this
7 * software must be clearly marked as such, and if the derived work is
8 * incompatible with the protocol description in the RFC file, it must be
9 * called by a name other than "ssh" or "Secure Shell".
5260325f 10 */
8efc0c15 11
12#include "includes.h"
61a2c1da 13RCSID("$OpenBSD: servconf.c,v 1.131 2004/04/27 09:46:37 djm Exp $");
8efc0c15 14
15#include "ssh.h"
42f11eb2 16#include "log.h"
8efc0c15 17#include "servconf.h"
18#include "xmalloc.h"
a8be9f80 19#include "compat.h"
42f11eb2 20#include "pathnames.h"
21#include "tildexpand.h"
22#include "misc.h"
23#include "cipher.h"
b2552997 24#include "kex.h"
25#include "mac.h"
42f11eb2 26
396c147e 27static void add_listen_addr(ServerOptions *, char *, u_short);
28static void add_one_listen_addr(ServerOptions *, char *, u_short);
48e671d5 29
42f11eb2 30/* AF_UNSPEC or AF_INET or AF_INET6 */
31extern int IPv4or6;
1853d1ef 32/* Use of privilege separation or not */
33extern int use_privsep;
42f11eb2 34
8efc0c15 35/* Initializes the server options to their default values. */
36
6ae2364d 37void
5260325f 38initialize_server_options(ServerOptions *options)
8efc0c15 39{
5260325f 40 memset(options, 0, sizeof(*options));
e15895cd 41
42 /* Portable-specific options */
7fceb20d 43 options->use_pam = -1;
e15895cd 44
45 /* Standard Options */
48e671d5 46 options->num_ports = 0;
47 options->ports_from_cmdline = 0;
48 options->listen_addrs = NULL;
fa08c86b 49 options->num_host_key_files = 0;
0fbe8c74 50 options->pid_file = NULL;
5260325f 51 options->server_key_bits = -1;
52 options->login_grace_time = -1;
53 options->key_regeneration_time = -1;
15853e93 54 options->permit_root_login = PERMIT_NOT_SET;
5260325f 55 options->ignore_rhosts = -1;
56 options->ignore_user_known_hosts = -1;
57 options->print_motd = -1;
4f4648f9 58 options->print_lastlog = -1;
5260325f 59 options->x11_forwarding = -1;
60 options->x11_display_offset = -1;
e6e573bd 61 options->x11_use_localhost = -1;
fa649821 62 options->xauth_location = NULL;
5260325f 63 options->strict_modes = -1;
fd573618 64 options->tcp_keep_alive = -1;
5eaf8578 65 options->log_facility = SYSLOG_FACILITY_NOT_SET;
66 options->log_level = SYSLOG_LEVEL_NOT_SET;
5260325f 67 options->rhosts_rsa_authentication = -1;
8002af61 68 options->hostbased_authentication = -1;
69 options->hostbased_uses_name_from_packet_only = -1;
5260325f 70 options->rsa_authentication = -1;
fa08c86b 71 options->pubkey_authentication = -1;
5260325f 72 options->kerberos_authentication = -1;
73 options->kerberos_or_local_passwd = -1;
74 options->kerberos_ticket_cleanup = -1;
a1e30b47 75 options->kerberos_get_afs_token = -1;
7364bd04 76 options->gss_authentication=-1;
77 options->gss_cleanup_creds = -1;
5260325f 78 options->password_authentication = -1;
94ec8c6b 79 options->kbd_interactive_authentication = -1;
5ba55ada 80 options->challenge_response_authentication = -1;
5260325f 81 options->permit_empty_passwd = -1;
f00bab84 82 options->permit_user_env = -1;
5260325f 83 options->use_login = -1;
636f76ca 84 options->compression = -1;
33de75a3 85 options->allow_tcp_forwarding = -1;
5260325f 86 options->num_allow_users = 0;
87 options->num_deny_users = 0;
88 options->num_allow_groups = 0;
89 options->num_deny_groups = 0;
a8be9f80 90 options->ciphers = NULL;
b2552997 91 options->macs = NULL;
a8be9f80 92 options->protocol = SSH_PROTO_UNKNOWN;
1d1ffb87 93 options->gateway_ports = -1;
38c295d6 94 options->num_subsystems = 0;
c345cf9d 95 options->max_startups_begin = -1;
96 options->max_startups_rate = -1;
089fbbd2 97 options->max_startups = -1;
eea39c02 98 options->banner = NULL;
c5a7d788 99 options->use_dns = -1;
3ffc6336 100 options->client_alive_interval = -1;
101 options->client_alive_count_max = -1;
c8445989 102 options->authorized_keys_file = NULL;
103 options->authorized_keys_file2 = NULL;
61a2c1da 104 options->num_accept_env = 0;
1853d1ef 105
1853d1ef 106 /* Needs to be accessable in many places */
107 use_privsep = -1;
8efc0c15 108}
109
6ae2364d 110void
5260325f 111fill_default_server_options(ServerOptions *options)
8efc0c15 112{
e15895cd 113 /* Portable-specific options */
7fceb20d 114 if (options->use_pam == -1)
0a23d79f 115 options->use_pam = 0;
e15895cd 116
117 /* Standard Options */
fa08c86b 118 if (options->protocol == SSH_PROTO_UNKNOWN)
119 options->protocol = SSH_PROTO_1|SSH_PROTO_2;
120 if (options->num_host_key_files == 0) {
121 /* fill default hostkeys for protocols */
122 if (options->protocol & SSH_PROTO_1)
0f84fe37 123 options->host_key_files[options->num_host_key_files++] =
124 _PATH_HOST_KEY_FILE;
125 if (options->protocol & SSH_PROTO_2) {
126 options->host_key_files[options->num_host_key_files++] =
127 _PATH_HOST_RSA_KEY_FILE;
128 options->host_key_files[options->num_host_key_files++] =
129 _PATH_HOST_DSA_KEY_FILE;
130 }
fa08c86b 131 }
48e671d5 132 if (options->num_ports == 0)
133 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
134 if (options->listen_addrs == NULL)
2d2a2c65 135 add_listen_addr(options, NULL, 0);
0fbe8c74 136 if (options->pid_file == NULL)
42f11eb2 137 options->pid_file = _PATH_SSH_DAEMON_PID_FILE;
5260325f 138 if (options->server_key_bits == -1)
139 options->server_key_bits = 768;
140 if (options->login_grace_time == -1)
3445ca02 141 options->login_grace_time = 120;
5260325f 142 if (options->key_regeneration_time == -1)
143 options->key_regeneration_time = 3600;
15853e93 144 if (options->permit_root_login == PERMIT_NOT_SET)
145 options->permit_root_login = PERMIT_YES;
5260325f 146 if (options->ignore_rhosts == -1)
c8d54615 147 options->ignore_rhosts = 1;
5260325f 148 if (options->ignore_user_known_hosts == -1)
149 options->ignore_user_known_hosts = 0;
5260325f 150 if (options->print_motd == -1)
151 options->print_motd = 1;
4f4648f9 152 if (options->print_lastlog == -1)
153 options->print_lastlog = 1;
5260325f 154 if (options->x11_forwarding == -1)
c8d54615 155 options->x11_forwarding = 0;
5260325f 156 if (options->x11_display_offset == -1)
c8d54615 157 options->x11_display_offset = 10;
e6e573bd 158 if (options->x11_use_localhost == -1)
159 options->x11_use_localhost = 1;
fa649821 160 if (options->xauth_location == NULL)
fd9ede94 161 options->xauth_location = _PATH_XAUTH;
5260325f 162 if (options->strict_modes == -1)
163 options->strict_modes = 1;
fd573618 164 if (options->tcp_keep_alive == -1)
165 options->tcp_keep_alive = 1;
5eaf8578 166 if (options->log_facility == SYSLOG_FACILITY_NOT_SET)
5260325f 167 options->log_facility = SYSLOG_FACILITY_AUTH;
5eaf8578 168 if (options->log_level == SYSLOG_LEVEL_NOT_SET)
59c97189 169 options->log_level = SYSLOG_LEVEL_INFO;
5260325f 170 if (options->rhosts_rsa_authentication == -1)
c8d54615 171 options->rhosts_rsa_authentication = 0;
8002af61 172 if (options->hostbased_authentication == -1)
173 options->hostbased_authentication = 0;
174 if (options->hostbased_uses_name_from_packet_only == -1)
175 options->hostbased_uses_name_from_packet_only = 0;
5260325f 176 if (options->rsa_authentication == -1)
177 options->rsa_authentication = 1;
fa08c86b 178 if (options->pubkey_authentication == -1)
179 options->pubkey_authentication = 1;
5260325f 180 if (options->kerberos_authentication == -1)
eadc806d 181 options->kerberos_authentication = 0;
5260325f 182 if (options->kerberos_or_local_passwd == -1)
183 options->kerberos_or_local_passwd = 1;
184 if (options->kerberos_ticket_cleanup == -1)
185 options->kerberos_ticket_cleanup = 1;
a1e30b47 186 if (options->kerberos_get_afs_token == -1)
187 options->kerberos_get_afs_token = 0;
7364bd04 188 if (options->gss_authentication == -1)
189 options->gss_authentication = 0;
190 if (options->gss_cleanup_creds == -1)
191 options->gss_cleanup_creds = 1;
5260325f 192 if (options->password_authentication == -1)
193 options->password_authentication = 1;
94ec8c6b 194 if (options->kbd_interactive_authentication == -1)
195 options->kbd_interactive_authentication = 0;
5ba55ada 196 if (options->challenge_response_authentication == -1)
197 options->challenge_response_authentication = 1;
5260325f 198 if (options->permit_empty_passwd == -1)
c8d54615 199 options->permit_empty_passwd = 0;
f00bab84 200 if (options->permit_user_env == -1)
201 options->permit_user_env = 0;
5260325f 202 if (options->use_login == -1)
203 options->use_login = 0;
636f76ca 204 if (options->compression == -1)
205 options->compression = 1;
33de75a3 206 if (options->allow_tcp_forwarding == -1)
207 options->allow_tcp_forwarding = 1;
1d1ffb87 208 if (options->gateway_ports == -1)
209 options->gateway_ports = 0;
089fbbd2 210 if (options->max_startups == -1)
211 options->max_startups = 10;
c345cf9d 212 if (options->max_startups_rate == -1)
213 options->max_startups_rate = 100; /* 100% */
214 if (options->max_startups_begin == -1)
215 options->max_startups_begin = options->max_startups;
c5a7d788 216 if (options->use_dns == -1)
217 options->use_dns = 1;
3ffc6336 218 if (options->client_alive_interval == -1)
184eed6a 219 options->client_alive_interval = 0;
3ffc6336 220 if (options->client_alive_count_max == -1)
221 options->client_alive_count_max = 3;
5df83e07 222 if (options->authorized_keys_file2 == NULL) {
223 /* authorized_keys_file2 falls back to authorized_keys_file */
224 if (options->authorized_keys_file != NULL)
225 options->authorized_keys_file2 = options->authorized_keys_file;
226 else
227 options->authorized_keys_file2 = _PATH_SSH_USER_PERMITTED_KEYS2;
228 }
229 if (options->authorized_keys_file == NULL)
230 options->authorized_keys_file = _PATH_SSH_USER_PERMITTED_KEYS;
1853d1ef 231
2ee1b704 232 /* Turn privilege separation on by default */
1853d1ef 233 if (use_privsep == -1)
2ee1b704 234 use_privsep = 1;
e299a298 235
4165b82e 236#ifndef HAVE_MMAP
e299a298 237 if (use_privsep && options->compression == 1) {
238 error("This platform does not support both privilege "
239 "separation and compression");
240 error("Compression disabled");
241 options->compression = 0;
242 }
243#endif
244
8efc0c15 245}
246
8efc0c15 247/* Keyword tokens. */
5260325f 248typedef enum {
249 sBadOption, /* == unknown option */
e15895cd 250 /* Portable-specific options */
7fceb20d 251 sUsePAM,
e15895cd 252 /* Standard Options */
5260325f 253 sPort, sHostKeyFile, sServerKeyBits, sLoginGraceTime, sKeyRegenerationTime,
254 sPermitRootLogin, sLogFacility, sLogLevel,
0598d99d 255 sRhostsRSAAuthentication, sRSAAuthentication,
5260325f 256 sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
a1e30b47 257 sKerberosGetAFSToken,
1c590258 258 sKerberosTgtPassing, sChallengeResponseAuthentication,
94ec8c6b 259 sPasswordAuthentication, sKbdInteractiveAuthentication, sListenAddress,
4f4648f9 260 sPrintMotd, sPrintLastLog, sIgnoreRhosts,
e6e573bd 261 sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
fd573618 262 sStrictModes, sEmptyPasswd, sTCPKeepAlive,
f00bab84 263 sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
33de75a3 264 sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
b2552997 265 sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
fa08c86b 266 sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
c5a7d788 267 sBanner, sUseDNS, sHostbasedAuthentication,
184eed6a 268 sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
c8445989 269 sClientAliveCountMax, sAuthorizedKeysFile, sAuthorizedKeysFile2,
61a2c1da 270 sGssAuthentication, sGssCleanupCreds, sAcceptEnv,
2ea6de2b 271 sUsePrivilegeSeparation,
a2144546 272 sDeprecated, sUnsupported
8efc0c15 273} ServerOpCodes;
274
275/* Textual representation of the tokens. */
5260325f 276static struct {
277 const char *name;
278 ServerOpCodes opcode;
279} keywords[] = {
e15895cd 280 /* Portable-specific options */
b06b11ad 281#ifdef USE_PAM
fe46678b 282 { "usepam", sUsePAM },
b06b11ad 283#else
fe46678b 284 { "usepam", sUnsupported },
b06b11ad 285#endif
fe46678b 286 { "pamauthenticationviakbdint", sDeprecated },
e15895cd 287 /* Standard Options */
5260325f 288 { "port", sPort },
289 { "hostkey", sHostKeyFile },
fa08c86b 290 { "hostdsakey", sHostKeyFile }, /* alias */
2b87da3b 291 { "pidfile", sPidFile },
5260325f 292 { "serverkeybits", sServerKeyBits },
293 { "logingracetime", sLoginGraceTime },
294 { "keyregenerationinterval", sKeyRegenerationTime },
295 { "permitrootlogin", sPermitRootLogin },
296 { "syslogfacility", sLogFacility },
297 { "loglevel", sLogLevel },
0598d99d 298 { "rhostsauthentication", sDeprecated },
5260325f 299 { "rhostsrsaauthentication", sRhostsRSAAuthentication },
8002af61 300 { "hostbasedauthentication", sHostbasedAuthentication },
301 { "hostbasedusesnamefrompacketonly", sHostbasedUsesNameFromPacketOnly },
5260325f 302 { "rsaauthentication", sRSAAuthentication },
fa08c86b 303 { "pubkeyauthentication", sPubkeyAuthentication },
304 { "dsaauthentication", sPubkeyAuthentication }, /* alias */
1c590258 305#ifdef KRB5
5260325f 306 { "kerberosauthentication", sKerberosAuthentication },
307 { "kerberosorlocalpasswd", sKerberosOrLocalPasswd },
308 { "kerberosticketcleanup", sKerberosTicketCleanup },
bcfcc5f9 309#ifdef USE_AFS
a1e30b47 310 { "kerberosgetafstoken", sKerberosGetAFSToken },
309af4e5 311#else
312 { "kerberosgetafstoken", sUnsupported },
313#endif
a2144546 314#else
315 { "kerberosauthentication", sUnsupported },
316 { "kerberosorlocalpasswd", sUnsupported },
317 { "kerberosticketcleanup", sUnsupported },
a1e30b47 318 { "kerberosgetafstoken", sUnsupported },
a2144546 319#endif
8f73f7bb 320 { "kerberostgtpassing", sUnsupported },
a2144546 321 { "afstokenpassing", sUnsupported },
7364bd04 322#ifdef GSSAPI
323 { "gssapiauthentication", sGssAuthentication },
e377c083 324 { "gssapicleanupcredentials", sGssCleanupCreds },
7364bd04 325#else
326 { "gssapiauthentication", sUnsupported },
e377c083 327 { "gssapicleanupcredentials", sUnsupported },
7364bd04 328#endif
5260325f 329 { "passwordauthentication", sPasswordAuthentication },
94ec8c6b 330 { "kbdinteractiveauthentication", sKbdInteractiveAuthentication },
d464095c 331 { "challengeresponseauthentication", sChallengeResponseAuthentication },
332 { "skeyauthentication", sChallengeResponseAuthentication }, /* alias */
5c53a31e 333 { "checkmail", sDeprecated },
5260325f 334 { "listenaddress", sListenAddress },
335 { "printmotd", sPrintMotd },
4f4648f9 336 { "printlastlog", sPrintLastLog },
5260325f 337 { "ignorerhosts", sIgnoreRhosts },
338 { "ignoreuserknownhosts", sIgnoreUserKnownHosts },
339 { "x11forwarding", sX11Forwarding },
340 { "x11displayoffset", sX11DisplayOffset },
e6e573bd 341 { "x11uselocalhost", sX11UseLocalhost },
fa649821 342 { "xauthlocation", sXAuthLocation },
5260325f 343 { "strictmodes", sStrictModes },
344 { "permitemptypasswords", sEmptyPasswd },
f00bab84 345 { "permituserenvironment", sPermitUserEnvironment },
5260325f 346 { "uselogin", sUseLogin },
636f76ca 347 { "compression", sCompression },
fd573618 348 { "tcpkeepalive", sTCPKeepAlive },
349 { "keepalive", sTCPKeepAlive }, /* obsolete alias */
33de75a3 350 { "allowtcpforwarding", sAllowTcpForwarding },
5260325f 351 { "allowusers", sAllowUsers },
352 { "denyusers", sDenyUsers },
353 { "allowgroups", sAllowGroups },
354 { "denygroups", sDenyGroups },
a8be9f80 355 { "ciphers", sCiphers },
b2552997 356 { "macs", sMacs },
a8be9f80 357 { "protocol", sProtocol },
1d1ffb87 358 { "gatewayports", sGatewayPorts },
38c295d6 359 { "subsystem", sSubsystem },
089fbbd2 360 { "maxstartups", sMaxStartups },
eea39c02 361 { "banner", sBanner },
c5a7d788 362 { "usedns", sUseDNS },
363 { "verifyreversemapping", sDeprecated },
364 { "reversemappingcheck", sDeprecated },
3ffc6336 365 { "clientaliveinterval", sClientAliveInterval },
366 { "clientalivecountmax", sClientAliveCountMax },
c8445989 367 { "authorizedkeysfile", sAuthorizedKeysFile },
368 { "authorizedkeysfile2", sAuthorizedKeysFile2 },
1853d1ef 369 { "useprivilegeseparation", sUsePrivilegeSeparation},
61a2c1da 370 { "acceptenv", sAcceptEnv },
17a3011c 371 { NULL, sBadOption }
8efc0c15 372};
373
aa3378df 374/*
6be9a5e8 375 * Returns the number of the token pointed to by cp or sBadOption.
aa3378df 376 */
8efc0c15 377
6ae2364d 378static ServerOpCodes
5260325f 379parse_token(const char *cp, const char *filename,
380 int linenum)
8efc0c15 381{
1e3b8b07 382 u_int i;
8efc0c15 383
5260325f 384 for (i = 0; keywords[i].name; i++)
aa3378df 385 if (strcasecmp(cp, keywords[i].name) == 0)
5260325f 386 return keywords[i].opcode;
8efc0c15 387
b7c70970 388 error("%s: line %d: Bad configuration option: %s",
389 filename, linenum, cp);
5260325f 390 return sBadOption;
8efc0c15 391}
392
396c147e 393static void
2d2a2c65 394add_listen_addr(ServerOptions *options, char *addr, u_short port)
48e671d5 395{
48e671d5 396 int i;
397
398 if (options->num_ports == 0)
399 options->ports[options->num_ports++] = SSH_DEFAULT_PORT;
2d2a2c65 400 if (port == 0)
d11c1288 401 for (i = 0; i < options->num_ports; i++)
402 add_one_listen_addr(options, addr, options->ports[i]);
403 else
2d2a2c65 404 add_one_listen_addr(options, addr, port);
d11c1288 405}
406
396c147e 407static void
d11c1288 408add_one_listen_addr(ServerOptions *options, char *addr, u_short port)
409{
410 struct addrinfo hints, *ai, *aitop;
411 char strport[NI_MAXSERV];
412 int gaierr;
413
414 memset(&hints, 0, sizeof(hints));
415 hints.ai_family = IPv4or6;
416 hints.ai_socktype = SOCK_STREAM;
417 hints.ai_flags = (addr == NULL) ? AI_PASSIVE : 0;
7528d467 418 snprintf(strport, sizeof strport, "%u", port);
d11c1288 419 if ((gaierr = getaddrinfo(addr, strport, &hints, &aitop)) != 0)
420 fatal("bad addr or host: %s (%s)",
421 addr ? addr : "<NULL>",
422 gai_strerror(gaierr));
423 for (ai = aitop; ai->ai_next; ai = ai->ai_next)
424 ;
425 ai->ai_next = options->listen_addrs;
426 options->listen_addrs = aitop;
48e671d5 427}
428
2717fa0f 429int
430process_server_config_line(ServerOptions *options, char *line,
431 const char *filename, int linenum)
8efc0c15 432{
d11c1288 433 char *cp, **charptr, *arg, *p;
7528d467 434 int *intptr, value, i, n;
5260325f 435 ServerOpCodes opcode;
436
2717fa0f 437 cp = line;
438 arg = strdelim(&cp);
439 /* Ignore leading whitespace */
440 if (*arg == '\0')
704b1659 441 arg = strdelim(&cp);
2717fa0f 442 if (!arg || !*arg || *arg == '#')
443 return 0;
444 intptr = NULL;
445 charptr = NULL;
446 opcode = parse_token(arg, filename, linenum);
447 switch (opcode) {
448 /* Portable-specific options */
7fceb20d 449 case sUsePAM:
450 intptr = &options->use_pam;
2717fa0f 451 goto parse_flag;
48e671d5 452
2717fa0f 453 /* Standard Options */
454 case sBadOption:
455 return -1;
456 case sPort:
457 /* ignore ports from configfile if cmdline specifies ports */
458 if (options->ports_from_cmdline)
459 return 0;
460 if (options->listen_addrs != NULL)
461 fatal("%s line %d: ports must be specified before "
3a454b6a 462 "ListenAddress.", filename, linenum);
2717fa0f 463 if (options->num_ports >= MAX_PORTS)
464 fatal("%s line %d: too many ports.",
465 filename, linenum);
466 arg = strdelim(&cp);
467 if (!arg || *arg == '\0')
468 fatal("%s line %d: missing port number.",
469 filename, linenum);
470 options->ports[options->num_ports++] = a2port(arg);
471 if (options->ports[options->num_ports-1] == 0)
472 fatal("%s line %d: Badly formatted port number.",
473 filename, linenum);
474 break;
475
476 case sServerKeyBits:
477 intptr = &options->server_key_bits;
5260325f 478parse_int:
2717fa0f 479 arg = strdelim(&cp);
480 if (!arg || *arg == '\0')
481 fatal("%s line %d: missing integer value.",
482 filename, linenum);
483 value = atoi(arg);
484 if (*intptr == -1)
485 *intptr = value;
486 break;
487
488 case sLoginGraceTime:
489 intptr = &options->login_grace_time;
e2b1fb42 490parse_time:
2717fa0f 491 arg = strdelim(&cp);
492 if (!arg || *arg == '\0')
493 fatal("%s line %d: missing time value.",
494 filename, linenum);
495 if ((value = convtime(arg)) == -1)
496 fatal("%s line %d: invalid time value.",
497 filename, linenum);
498 if (*intptr == -1)
499 *intptr = value;
500 break;
501
502 case sKeyRegenerationTime:
503 intptr = &options->key_regeneration_time;
504 goto parse_time;
505
506 case sListenAddress:
507 arg = strdelim(&cp);
508 if (!arg || *arg == '\0' || strncmp(arg, "[]", 2) == 0)
509 fatal("%s line %d: missing inet addr.",
510 filename, linenum);
511 if (*arg == '[') {
512 if ((p = strchr(arg, ']')) == NULL)
513 fatal("%s line %d: bad ipv6 inet addr usage.",
e2b1fb42 514 filename, linenum);
2717fa0f 515 arg++;
516 memmove(p, p+1, strlen(p+1)+1);
517 } else if (((p = strchr(arg, ':')) == NULL) ||
518 (strchr(p+1, ':') != NULL)) {
519 add_listen_addr(options, arg, 0);
e2b1fb42 520 break;
2717fa0f 521 }
522 if (*p == ':') {
523 u_short port;
5260325f 524
2717fa0f 525 p++;
526 if (*p == '\0')
527 fatal("%s line %d: bad inet addr:port usage.",
48e671d5 528 filename, linenum);
2717fa0f 529 else {
530 *(p-1) = '\0';
531 if ((port = a2port(p)) == 0)
532 fatal("%s line %d: bad port number.",
d11c1288 533 filename, linenum);
2717fa0f 534 add_listen_addr(options, arg, port);
d11c1288 535 }
2717fa0f 536 } else if (*p == '\0')
537 add_listen_addr(options, arg, 0);
538 else
539 fatal("%s line %d: bad inet addr usage.",
540 filename, linenum);
541 break;
542
543 case sHostKeyFile:
544 intptr = &options->num_host_key_files;
545 if (*intptr >= MAX_HOSTKEYS)
546 fatal("%s line %d: too many host keys specified (max %d).",
547 filename, linenum, MAX_HOSTKEYS);
548 charptr = &options->host_key_files[*intptr];
fa649821 549parse_filename:
2717fa0f 550 arg = strdelim(&cp);
551 if (!arg || *arg == '\0')
552 fatal("%s line %d: missing file name.",
553 filename, linenum);
554 if (*charptr == NULL) {
555 *charptr = tilde_expand_filename(arg, getuid());
556 /* increase optional counter */
557 if (intptr != NULL)
558 *intptr = *intptr + 1;
559 }
560 break;
0fbe8c74 561
2717fa0f 562 case sPidFile:
563 charptr = &options->pid_file;
564 goto parse_filename;
5260325f 565
2717fa0f 566 case sPermitRootLogin:
567 intptr = &options->permit_root_login;
568 arg = strdelim(&cp);
569 if (!arg || *arg == '\0')
570 fatal("%s line %d: missing yes/"
571 "without-password/forced-commands-only/no "
572 "argument.", filename, linenum);
573 value = 0; /* silence compiler */
574 if (strcmp(arg, "without-password") == 0)
575 value = PERMIT_NO_PASSWD;
576 else if (strcmp(arg, "forced-commands-only") == 0)
577 value = PERMIT_FORCED_ONLY;
578 else if (strcmp(arg, "yes") == 0)
579 value = PERMIT_YES;
580 else if (strcmp(arg, "no") == 0)
581 value = PERMIT_NO;
582 else
583 fatal("%s line %d: Bad yes/"
584 "without-password/forced-commands-only/no "
585 "argument: %s", filename, linenum, arg);
586 if (*intptr == -1)
587 *intptr = value;
588 break;
589
590 case sIgnoreRhosts:
591 intptr = &options->ignore_rhosts;
5260325f 592parse_flag:
2717fa0f 593 arg = strdelim(&cp);
594 if (!arg || *arg == '\0')
595 fatal("%s line %d: missing yes/no argument.",
596 filename, linenum);
597 value = 0; /* silence compiler */
598 if (strcmp(arg, "yes") == 0)
599 value = 1;
600 else if (strcmp(arg, "no") == 0)
601 value = 0;
602 else
603 fatal("%s line %d: Bad yes/no argument: %s",
604 filename, linenum, arg);
605 if (*intptr == -1)
606 *intptr = value;
607 break;
608
609 case sIgnoreUserKnownHosts:
610 intptr = &options->ignore_user_known_hosts;
611 goto parse_flag;
612
2717fa0f 613 case sRhostsRSAAuthentication:
614 intptr = &options->rhosts_rsa_authentication;
615 goto parse_flag;
616
617 case sHostbasedAuthentication:
618 intptr = &options->hostbased_authentication;
619 goto parse_flag;
620
621 case sHostbasedUsesNameFromPacketOnly:
622 intptr = &options->hostbased_uses_name_from_packet_only;
623 goto parse_flag;
624
625 case sRSAAuthentication:
626 intptr = &options->rsa_authentication;
627 goto parse_flag;
628
629 case sPubkeyAuthentication:
630 intptr = &options->pubkey_authentication;
631 goto parse_flag;
d0ec7f42 632
2717fa0f 633 case sKerberosAuthentication:
634 intptr = &options->kerberos_authentication;
635 goto parse_flag;
5260325f 636
2717fa0f 637 case sKerberosOrLocalPasswd:
638 intptr = &options->kerberos_or_local_passwd;
639 goto parse_flag;
5260325f 640
2717fa0f 641 case sKerberosTicketCleanup:
642 intptr = &options->kerberos_ticket_cleanup;
643 goto parse_flag;
d0ec7f42 644
a1e30b47 645 case sKerberosGetAFSToken:
646 intptr = &options->kerberos_get_afs_token;
647 goto parse_flag;
648
7364bd04 649 case sGssAuthentication:
650 intptr = &options->gss_authentication;
651 goto parse_flag;
652
653 case sGssCleanupCreds:
654 intptr = &options->gss_cleanup_creds;
655 goto parse_flag;
656
2717fa0f 657 case sPasswordAuthentication:
658 intptr = &options->password_authentication;
659 goto parse_flag;
5260325f 660
2717fa0f 661 case sKbdInteractiveAuthentication:
662 intptr = &options->kbd_interactive_authentication;
663 goto parse_flag;
8002af61 664
2717fa0f 665 case sChallengeResponseAuthentication:
666 intptr = &options->challenge_response_authentication;
667 goto parse_flag;
8002af61 668
2717fa0f 669 case sPrintMotd:
670 intptr = &options->print_motd;
671 goto parse_flag;
5260325f 672
2717fa0f 673 case sPrintLastLog:
674 intptr = &options->print_lastlog;
675 goto parse_flag;
5260325f 676
2717fa0f 677 case sX11Forwarding:
678 intptr = &options->x11_forwarding;
679 goto parse_flag;
5260325f 680
2717fa0f 681 case sX11DisplayOffset:
682 intptr = &options->x11_display_offset;
683 goto parse_int;
8efc0c15 684
e6e573bd 685 case sX11UseLocalhost:
686 intptr = &options->x11_use_localhost;
687 goto parse_flag;
688
2717fa0f 689 case sXAuthLocation:
690 charptr = &options->xauth_location;
691 goto parse_filename;
5260325f 692
2717fa0f 693 case sStrictModes:
694 intptr = &options->strict_modes;
695 goto parse_flag;
5260325f 696
fd573618 697 case sTCPKeepAlive:
698 intptr = &options->tcp_keep_alive;
2717fa0f 699 goto parse_flag;
33de75a3 700
2717fa0f 701 case sEmptyPasswd:
702 intptr = &options->permit_empty_passwd;
703 goto parse_flag;
5260325f 704
f00bab84 705 case sPermitUserEnvironment:
706 intptr = &options->permit_user_env;
707 goto parse_flag;
708
2717fa0f 709 case sUseLogin:
710 intptr = &options->use_login;
711 goto parse_flag;
5260325f 712
636f76ca 713 case sCompression:
714 intptr = &options->compression;
715 goto parse_flag;
716
2717fa0f 717 case sGatewayPorts:
718 intptr = &options->gateway_ports;
719 goto parse_flag;
5260325f 720
c5a7d788 721 case sUseDNS:
722 intptr = &options->use_dns;
2717fa0f 723 goto parse_flag;
5260325f 724
2717fa0f 725 case sLogFacility:
726 intptr = (int *) &options->log_facility;
727 arg = strdelim(&cp);
728 value = log_facility_number(arg);
5eaf8578 729 if (value == SYSLOG_FACILITY_NOT_SET)
2717fa0f 730 fatal("%.200s line %d: unsupported log facility '%s'",
731 filename, linenum, arg ? arg : "<NONE>");
732 if (*intptr == -1)
733 *intptr = (SyslogFacility) value;
734 break;
735
736 case sLogLevel:
737 intptr = (int *) &options->log_level;
738 arg = strdelim(&cp);
739 value = log_level_number(arg);
5eaf8578 740 if (value == SYSLOG_LEVEL_NOT_SET)
2717fa0f 741 fatal("%.200s line %d: unsupported log level '%s'",
742 filename, linenum, arg ? arg : "<NONE>");
743 if (*intptr == -1)
744 *intptr = (LogLevel) value;
745 break;
746
747 case sAllowTcpForwarding:
748 intptr = &options->allow_tcp_forwarding;
749 goto parse_flag;
750
1853d1ef 751 case sUsePrivilegeSeparation:
752 intptr = &use_privsep;
753 goto parse_flag;
754
2717fa0f 755 case sAllowUsers:
756 while ((arg = strdelim(&cp)) && *arg != '\0') {
757 if (options->num_allow_users >= MAX_ALLOW_USERS)
758 fatal("%s line %d: too many allow users.",
759 filename, linenum);
7528d467 760 options->allow_users[options->num_allow_users++] =
761 xstrdup(arg);
2717fa0f 762 }
763 break;
a8be9f80 764
2717fa0f 765 case sDenyUsers:
766 while ((arg = strdelim(&cp)) && *arg != '\0') {
767 if (options->num_deny_users >= MAX_DENY_USERS)
768 fatal( "%s line %d: too many deny users.",
769 filename, linenum);
7528d467 770 options->deny_users[options->num_deny_users++] =
771 xstrdup(arg);
2717fa0f 772 }
773 break;
b2552997 774
2717fa0f 775 case sAllowGroups:
776 while ((arg = strdelim(&cp)) && *arg != '\0') {
777 if (options->num_allow_groups >= MAX_ALLOW_GROUPS)
778 fatal("%s line %d: too many allow groups.",
779 filename, linenum);
7528d467 780 options->allow_groups[options->num_allow_groups++] =
781 xstrdup(arg);
2717fa0f 782 }
783 break;
a8be9f80 784
2717fa0f 785 case sDenyGroups:
786 while ((arg = strdelim(&cp)) && *arg != '\0') {
787 if (options->num_deny_groups >= MAX_DENY_GROUPS)
788 fatal("%s line %d: too many deny groups.",
789 filename, linenum);
790 options->deny_groups[options->num_deny_groups++] = xstrdup(arg);
791 }
792 break;
38c295d6 793
2717fa0f 794 case sCiphers:
795 arg = strdelim(&cp);
796 if (!arg || *arg == '\0')
797 fatal("%s line %d: Missing argument.", filename, linenum);
798 if (!ciphers_valid(arg))
799 fatal("%s line %d: Bad SSH2 cipher spec '%s'.",
800 filename, linenum, arg ? arg : "<NONE>");
801 if (options->ciphers == NULL)
802 options->ciphers = xstrdup(arg);
803 break;
804
805 case sMacs:
806 arg = strdelim(&cp);
807 if (!arg || *arg == '\0')
808 fatal("%s line %d: Missing argument.", filename, linenum);
809 if (!mac_valid(arg))
810 fatal("%s line %d: Bad SSH2 mac spec '%s'.",
811 filename, linenum, arg ? arg : "<NONE>");
812 if (options->macs == NULL)
813 options->macs = xstrdup(arg);
814 break;
815
816 case sProtocol:
817 intptr = &options->protocol;
818 arg = strdelim(&cp);
819 if (!arg || *arg == '\0')
820 fatal("%s line %d: Missing argument.", filename, linenum);
821 value = proto_spec(arg);
822 if (value == SSH_PROTO_UNKNOWN)
823 fatal("%s line %d: Bad protocol spec '%s'.",
184eed6a 824 filename, linenum, arg ? arg : "<NONE>");
2717fa0f 825 if (*intptr == SSH_PROTO_UNKNOWN)
826 *intptr = value;
827 break;
828
829 case sSubsystem:
830 if (options->num_subsystems >= MAX_SUBSYSTEMS) {
831 fatal("%s line %d: too many subsystems defined.",
184eed6a 832 filename, linenum);
2717fa0f 833 }
834 arg = strdelim(&cp);
835 if (!arg || *arg == '\0')
836 fatal("%s line %d: Missing subsystem name.",
184eed6a 837 filename, linenum);
2717fa0f 838 for (i = 0; i < options->num_subsystems; i++)
839 if (strcmp(arg, options->subsystem_name[i]) == 0)
840 fatal("%s line %d: Subsystem '%s' already defined.",
184eed6a 841 filename, linenum, arg);
2717fa0f 842 options->subsystem_name[options->num_subsystems] = xstrdup(arg);
843 arg = strdelim(&cp);
844 if (!arg || *arg == '\0')
845 fatal("%s line %d: Missing subsystem command.",
184eed6a 846 filename, linenum);
2717fa0f 847 options->subsystem_command[options->num_subsystems] = xstrdup(arg);
848 options->num_subsystems++;
849 break;
850
851 case sMaxStartups:
852 arg = strdelim(&cp);
853 if (!arg || *arg == '\0')
854 fatal("%s line %d: Missing MaxStartups spec.",
184eed6a 855 filename, linenum);
2717fa0f 856 if ((n = sscanf(arg, "%d:%d:%d",
857 &options->max_startups_begin,
858 &options->max_startups_rate,
859 &options->max_startups)) == 3) {
860 if (options->max_startups_begin >
861 options->max_startups ||
862 options->max_startups_rate > 100 ||
863 options->max_startups_rate < 1)
c345cf9d 864 fatal("%s line %d: Illegal MaxStartups spec.",
97de229c 865 filename, linenum);
2717fa0f 866 } else if (n != 1)
867 fatal("%s line %d: Illegal MaxStartups spec.",
868 filename, linenum);
869 else
870 options->max_startups = options->max_startups_begin;
871 break;
872
873 case sBanner:
874 charptr = &options->banner;
875 goto parse_filename;
876 /*
877 * These options can contain %X options expanded at
878 * connect time, so that you can specify paths like:
879 *
880 * AuthorizedKeysFile /etc/ssh_keys/%u
881 */
882 case sAuthorizedKeysFile:
883 case sAuthorizedKeysFile2:
884 charptr = (opcode == sAuthorizedKeysFile ) ?
885 &options->authorized_keys_file :
886 &options->authorized_keys_file2;
887 goto parse_filename;
888
889 case sClientAliveInterval:
890 intptr = &options->client_alive_interval;
891 goto parse_time;
892
893 case sClientAliveCountMax:
894 intptr = &options->client_alive_count_max;
895 goto parse_int;
896
61a2c1da 897 case sAcceptEnv:
898 while ((arg = strdelim(&cp)) && *arg != '\0') {
899 if (strchr(arg, '=') != NULL)
900 fatal("%s line %d: Invalid environment name.",
901 filename, linenum);
902 if (options->num_accept_env >= MAX_ACCEPT_ENV)
903 fatal("%s line %d: too many allow env.",
904 filename, linenum);
905 options->accept_env[options->num_accept_env++] =
906 xstrdup(arg);
907 }
908 break;
909
2717fa0f 910 case sDeprecated:
bbe88b6d 911 logit("%s line %d: Deprecated option %s",
2717fa0f 912 filename, linenum, arg);
913 while (arg)
914 arg = strdelim(&cp);
915 break;
916
a2144546 917 case sUnsupported:
918 logit("%s line %d: Unsupported option %s",
919 filename, linenum, arg);
920 while (arg)
921 arg = strdelim(&cp);
922 break;
923
2717fa0f 924 default:
925 fatal("%s line %d: Missing handler for opcode %s (%d)",
926 filename, linenum, arg, opcode);
927 }
928 if ((arg = strdelim(&cp)) != NULL && *arg != '\0')
929 fatal("%s line %d: garbage at end of line; \"%.200s\".",
930 filename, linenum, arg);
931 return 0;
932}
089fbbd2 933
2717fa0f 934/* Reads the server configuration file. */
5c53a31e 935
2717fa0f 936void
937read_server_config(ServerOptions *options, const char *filename)
938{
7528d467 939 int linenum, bad_options = 0;
2717fa0f 940 char line[1024];
7528d467 941 FILE *f;
2717fa0f 942
34934506 943 debug2("read_server_config: filename %s", filename);
2717fa0f 944 f = fopen(filename, "r");
945 if (!f) {
946 perror(filename);
947 exit(1);
948 }
949 linenum = 0;
950 while (fgets(line, sizeof(line), f)) {
951 /* Update line number counter. */
952 linenum++;
953 if (process_server_config_line(options, line, filename, linenum) != 0)
954 bad_options++;
8efc0c15 955 }
5260325f 956 fclose(f);
b7c70970 957 if (bad_options > 0)
958 fatal("%s: terminating, %d bad configuration options",
959 filename, bad_options);
8efc0c15 960}
git-cvsimport mirror of OpenSSH
This page took 0.571821 seconds and 5 git commands to generate.